Once phpMyAdmin is installed, it's best to deny access to the /phpmyadmin path from the internet as many automated scripts will be scanning your web server for potential routes into your system. I've seen this activity hitting my servers as soon as they are publicly available.

Lock down phpMyAdmin connections to allow from 127.0.0.1 only - we will use an SSH tunnel to connect.

After a bit of reading about the details, formatting of messages, and security of SMTP servers, I found the answer I was looking for here. It looks like a small sacrifice has to be made in masking the sender's email address, and just using the site email address - but this was fine for me, and it works.